Tech Support Guy
Status: Not open for further replies.

Discussion Starter · #1 ·
I am currently running in Safe Mode, on v.1289 of x64 Windows XP. The reason? When I boot up, it is fine. When I get to the Welcome Screen, it is fine. When I Log On, it is fine... for about 3 seconds. Then it all locks up, and the cursor (still visible, and moving - albeit at a refresh a second) cannot do anything. Ctrl-Alt-Del or Ctrl-Esc do nothing either. Not fun... I can get all of the usual programs to work, but they show no problems... none fixable anyway. All programs are set to advanced, with thorough scanning to throw up anything. Nothing on Spybot, Ad-Aware, HJT... When I use Avast! v4.6, it shows up a couple of JS-7 ClassLoggers (?), which cannot be repaired, or deleted. HELP!

In the meantime, is there a way to run Safe Mode in higher res? I can cope without the features, but this resolution (640x480) is appalling.

Edit: I discovered how the (maybe) virus got in. A nameless sibling has been fiddling with my msconfig: Avast! had been removed. Gar. A memo to all: NEVER browse teh interweb without an antivirus program. Seems obvious...
 

Discussion Starter · #3 ·
Here it is, in all its glory.

Logfile of HijackThis v1.99.1
Scan saved at 09:19:01, on 24/06/2005
Platform: Windows 2003 SP1, v.1289 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1289)

Running processes:
G:\MOZILLA\NEWFOL~1\FIREFOX.EXE
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://music.yahoo.com/launchcast/station.asp?edit=1&u=1475197534
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033
O4 - HKLM\..\Run: [avast!] G:\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "G:\MSN Plus!\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Enjoy. I scan every couple of days, that's why there's less fluff than some people's logs.. :)
 

Discussion Starter · #4 ·
Oh, and if anyone asks, yes, you can get internet access in safe mode. Just enable networking.
 

Discussion Starter · #6 ·
This is a callout for a log expert... HELP!! See above for log.
 

Discussion Starter · #7 ·
What I am most disturbed by are the "innocent" O23 entries... according to the linked site that blue harp gave, they can be confused for system files, but should not show up here. This implies that they are indeed malicious, and are causing the problem. However, as they bear a striking resemblance to system files, I do not wish to run the gauntlet and wipe them from system32 with my fingers crossed...

Edit: They do not remove whilst using HJT. Ditto nvappfilter... even with the lspfix...

Edit: Ok, I got the nvappfilters... just the O23s to go.

Edit: OK, I know this sounds really stupid, but I decided to wipe the whole list. None of the files corresponded with previous scans, so I figured that none were totally vital. Most of them were preferences anyway: homepage and what have you. So, I blammed it: here is the "new" log.

Logfile of HijackThis v1.99.1
Scan saved at 22:01:39, on 24/06/2005
Platform: Windows 2003 SP1, v.1289 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1289)

Running processes:
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Avast!\aswUpdSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
 

have you run any antispy programs? Just curious...

I'd be the first to say that your log looks like a mess... for all I know it could be a perfectly normal look to XP64... but I don't think it is... there is just too much 'stuff' there to be normal.

You may want to contact a Mod and have this moved to Security... you might get more help there, just a thought.
 

Discussion Starter · #9 ·
I agree Banner guy. One thing: after some more web rootling, I found that none of those on the list are bad: however - the fact that they are missing is. Yet clearly they are not. I crack open system32, and hey presto... they are there. Hmm.
 

Discussion Starter · #12 ·
So why SIX entries..? Meh, I came out of that small explosion... not exactly smiling... bearing the same grimace as before. There is a BACKUP folder for a reason.

By the way... do any of you know of a freeware registry scanner/fixer? It's just that I have been caught so many times by programs which find 20 kazillion (yes, one actually said kazillion...) errors, then say pay US$5.00 to fix.

And my system quite clearly is not trashed. I'm using the said "trashed" PC (in safe mode) to tell you that it is... OK.. ish.
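The log from post #3 and the two points argued over afterwards (the O23 lines flagged "(file missing)" in posts #7 and #9, and the six O10 lines for one DLL in post #12) can be triaged mechanically. The script below is an added example; it is not code from this thread or from HijackThis. It parses those two line types and classifies each flag, and it assumes only what the log itself shows: HijackThis 1.99.1 is a 32-bit program, and the platform line "Windows 2003 SP1 ... WinNT 5.02.3790" is the XP x64 / Server 2003 SP1 code base, so the scanner runs under WOW64, where C:\WINDOWS\system32 is silently redirected to SysWOW64 and the 64-bit-only binaries there (lsass.exe, services.exe, vds.exe and so on) look absent to it even though 64-bit Explorer shows them, which is exactly what post #9 reports. The second artifact is visible in the avast! Mail Scanner line: HijackThis dropped the opening quote of a quoted ImagePath but kept the closing one, then tested for a file literally named `G:\Avast!\ashMaiSv.exe" /service`. For O10, one LSP is layered over every base provider it filters (TCP, UDP and RAW for each installed address family) and HijackThis prints one line per layered catalog entry, so six lines for nvappfilter.dll (the LSP installed by NVIDIA's nForce network software) describe one installed LSP, not six. The sample lines are copied from the posted log; the classification labels ("artifact-wow64", "artifact-quoting", "verify") are my own naming.

```python
"""Triage helper for HijackThis 1.99.x O10 and O23 lines.

Added example for this thread, not HijackThis code. It only classifies; it
changes nothing on the machine.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the log posted in this thread. A few are
# enough to cover every case: a clean service, a service whose quoted ImagePath
# was mangled, 64-bit system binaries under system32, and repeated O10 entries.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
""".strip().splitlines()

O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<image>.+?)(?P<missing> \(file missing\))?$"
)
# Paths a 32-bit process sees redirected to SysWOW64 on 64-bit Windows.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Service:
    display: str
    name: Optional[str]
    owner: str
    exe: str
    args: str
    stray_quote: bool       # HJT printed 'path" args': a quoted ImagePath was mangled
    reported_missing: bool  # HJT appended "(file missing)"


def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line; returns None for anything else."""
    m = O23_RE.match(line)
    if not m:
        return None
    # HijackThis drops the opening quote of a quoted ImagePath but keeps the
    # closing one, so "G:\Avast!\ashMaiSv.exe" /service is printed as
    # G:\Avast!\ashMaiSv.exe" /service and the existence check runs on that
    # whole string. Split it back into executable and arguments.
    exe, quote, args = m.group("image").partition('"')
    return Service(
        display=m.group("display"),
        name=m.group("name"),
        owner=m.group("owner"),
        exe=exe.strip(),
        args=args.strip(),
        stray_quote=bool(quote),
        reported_missing=m.group("missing") is not None,
    )


def classify_missing(svc: Service, scanner_32bit_on_x64: bool) -> str:
    """Decide whether a '(file missing)' flag is evidence or a scanner artifact."""
    if not svc.reported_missing:
        return "present"
    if svc.stray_quote:
        return "artifact-quoting"   # HJT looked for 'path" args' as a file name
    if scanner_32bit_on_x64 and SYSTEM32_RE.match(svc.exe):
        return "artifact-wow64"     # 32-bit scanner saw SysWOW64, not system32
    return "verify"                 # genuinely worth checking from a 64-bit shell


def lsp_entry_counts(lines) -> Counter:
    """Count O10 lines per DLL. One LSP is layered over each base provider it
    filters and HJT prints one line per layered catalog entry, so several lines
    for one DLL is the normal shape of a single installed LSP."""
    counts: Counter = Counter()
    for line in lines:
        m = O10_RE.match(line)
        if m:
            counts[m.group("dll").lower()] += 1
    return counts


def triage(lines, scanner_32bit_on_x64: bool = True) -> dict:
    """Summarise a log: LSP DLL counts and a verdict per service."""
    services = [s for s in map(parse_o23, lines) if s]
    return {
        "lsp": dict(lsp_entry_counts(lines)),
        "services": {s.display: classify_missing(s, scanner_32bit_on_x64) for s in services},
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(section, result)
```

Treat the output as read-only triage. "Fixing" an O23 entry in HijackThis stops and disables the named service, and doing that to Eventlog, PlugPlay or SamSs on the strength of a false "(file missing)" would do far more damage than anything in the log. Confirm a genuinely missing binary from a 64-bit shell, or by reading the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services, before touching anything.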
 

Discussion Starter · #14 ·
The Reg cleaner worked quite well... it runs: ish. It takes over a minute to get Start to open :( But at least it does now. I have downloaded Sysinternals to have a look at my running processes, as Task Manager threw up nothing odd... aside from the total being 100%, and there being 0% of CPU used. Apparently. Now, Sysinternals tells me that 99.xx% is being used by DPCs (Deferred Procedure Calls). Is this normal?
 